In this paper we present a broad, empirical analysis of Internet intrusion activity using a large set of NIDS and firewall logs collected over a four month period
Internet intrusions: global characteristics and prevalence
SIGMETRICS'08: Proceedings of the 2008 ACM SIGMETRICS International Conference on Measurement and Mo..., no. 1 (2003): 138-147
Network intrusions have been a fact of life in the Internet for many years. However, as is the case with many other types of Internet-wide phenomena, gaining insight into the global characteristics of intrusions is challenging. In this paper we address this problem by systematically analyzing a set of firewall logs collected over four mon...更多
下载 PDF 全文
- 4.1 The Worms
the authors provide background information on the major Internet worms released over the last two years.
- The authors first describe the major port 80 worms CodeRed I/II and Nimda.
- This is important because port 80 scans still form the single most dominant group of scans accounting for nearly 20% 60% of all scans in any given day.
- The release date for Nimda was Sep 18, 2001 and so the port 80 scans in the August 2001 dataset are exclusively CodeRed. The authors describe the SQL-Snake–a worm which affects Microsoft SQL Servers
- 4.1 The Worms
we provide background information on the major Internet worms released over the last two years
- We show that the less than a day and required countless hours to eradicate from distribution of source IP addresses of the non-worm intrusions systems
- In this paper we present a broad, empirical analysis of Internet intrusion activity using a large set of NIDS and firewall logs collected over a four month period
- We found daily intrusion activity as seen in our data to be highly variable ranging from between about 1M to 3M scans per day
- We find that while 60-70% of all non-worm scans are horizontal scans, the daily number of horizontal scan episodes is typically lower than vertical scan episodes
- We find total intrusion activity to be as high as 25B per day and that non-port 80 scans increased by approximately 25% over our measurement period
- SUMMARY AND CONCLUSION
In this paper the authors present a broad, empirical analysis of Internet intrusion activity using a large set of NIDS and firewall logs collected over a four month period.
- The authors found daily intrusion activity as seen in the data to be highly variable ranging from between about 1M to 3M scans per day.
- The authors' breakdown of scan types shows the predictably large amount of worm activity, and a large amount of scanning directed toward ports other than 80.
- The authors find total intrusion activity to be as high as 25B per day and that non-port 80 scans increased by approximately 25% over the measurement period
- Table1: Sample log entries from DSHIELD portscan logs
- Table2: Monthly summary of studied DSHIELD logs
- The work by Moore et al is motivated by the question, “how prevalent are denial-of-service attacks in the Internet today?” . Our work is similar in spirit although we address the general question of intrusions and are not specifically focused on DoS activity. Staniford et al report on recent worm activity (Code Red, Nimda) in  and project the possibilities of much more serious worm threats in the future. Cowie et al present a different perspective on the same work by examining hour long periods of “widespread instabilities” in global BGP system in July and September of 2001 . They describe the idea of “worm induced traffic diversity” that is unlike other normal traffic experienced by routers and is the primary cause of the BGP instabilities.
Our work has implications in development and configuration of network intrusion detection systems. Many such systems have been developed and deployed (eg. [18, 19]). The standard approach for recognizing an intrusion is to create
- The dataset was obtained from DSHIELD.ORG – a research effort funded by SANS Institute as part of its Internet Storm Center
- George Bakos. SQLsnake code analysis. http://www.incidents.org/diary/diary.php?− id=157, 2002.
- Paul Barford, Azer Bestavros, John Byers, and Mark Crovella. On the marginal utility of network topology measurements. In Proceedings of ACM SIGCOMM Internet Measurement Workshop, San Francisco, CA, November 2001.
- CAIDA. CodeRed Worms a Global Threat. http://www.caida.org/analysis/security/code − red/, 2001.
- CERT Coordination Center. http://www.cert.org, 2001.
- James Cowie, Andy T. Ogielski, BJ Premore, and Yougu Yuan. Global Routing Instabilities Triggered by CodeRed II and Nimda Worm Attacks. http://www.renesys.com/projects/bgp instability, 2001.
- Frederic Cuppens and Alexandre Miege. Alert correlation in a cooperative intrusion detection framework. In Proceedings of IEEE Symposium on Security and Privacy, 2002.
- Kevin Van Dixon. Spoof bounce. http://rr.sans.org/intrusion/spoof.php, 2001.
- Michalis Faloutsos, Petros Faloutsos, and Christos Faloutsos. On power-law relationships of the internet topology. In Proceedings of ACM SIGCOMM, 1999.
- Robert Gray. Entrophy and Information Theory. Springer-Verlag, 1990.
- HoneyNet Project. Know Your Enemy: Honeynets. http://project.honeynet.org, 2001.
- Brad Huffaker, Andre Broido, Kim Claffy, Marina Fomenkov, Sean McCreary, David Moore, and Oliver Jakubiec. Visualizing internet topology at a macrosocopic scale. http://www.caida.org/− analysis/topology/as core network/about.xml/, 2001.
- Eeye Security Inc. Microsoft IIS Buffer Overflow Advisory. http://www.eeye.com/html/− Research/Advisories/AD20010618.html, 2001.
- Richard Lippmann, David J. Fried, Isaac Graf, Joshua W. Haines, Kristopher R. Kendall, David McClung, Dan Weber, Seth E. Webster, Dan Wyschogrod, Robert K. Cunningham, and Marc A. Zissman. Evaluating Intrusion Detection systems: 1998 DARPA Off-line Intrusion Detection Evaluation. In Proceedings of IEEE Security Symposium, 1998.
- McAfee. Virus alert. http://vil.nai.com/vil/content/v 9949.htm, 2002.
- David Meyer. University of Oregon Route Views Project. http://antc.uoregon.edu/route − views/, 2002.
- David Moore. Network Telescopes: Observing Small or Distant Security Events. http://www.caida.org/− outreach/presentations/2002/usenix sec/, 2002.
- David Moore, Goeffrey Voelker, and Stefan Savage. Inferring Internet Denial-of-Service Activity. In Proceedings of the 10th USENIX Security Symposium, 2001.
- Vern Paxson. BRO: A System for Detecting Network Intruders in Real Time. In Proceedings of the 7th USENIX Security Symposium, 1998.
- Marty Roesch. The SNORT Network Intrusion Detection System. http://www.snort.org, 2002.
- Stefan Savage, David Wetherall, Anna Karlin, and Tom Anderson. Practical Network Support for IP Traceback. In Proceedings of ACM SIGCOMM, 2000.
- Alex Snoeren, Craig Partridge, Luis Sanchez, Christine Jones, Fabrice Tchakountio, and Stephen Kent. Hash Based IP Traceback. In Proceedings of ACM SIGCOMM, 2001.
- Stuart Staniford, James Hoagland, and Joseph McAlerney. Practical Automated Detection of Stealthy Portscans. In Journal of Computer Security, 2002.
- Stuart Staniford, Vern Paxson, and Nicholas Weaver. How to Own the Internet in Your Spare Time. In Proceedings of the 11th USENIX Security Symposium, 2002.
- Johannes Ullrich. DSHIELD. http://www.dshield.org, 2000.
- Johannes Ullrich. MSSQL worm (sqlsnake) on the rise. http://www.incidents.org/diary/diary.php?− id=156, 2002.
- Yin Zhang and Vern Paxson. Detecting Stepping Stones. In Proceedings of the 9th USENIX Security Symposium, 2000.
- G. Zipf. Human Behavior and the Principle of Least-Effort. Addison-Wesley, Cambridge, MA, 1949.